The Internet Isn't 'Critical Infrastructure'

from the cyber-hysteria dept

A new report (PDF, via Slashdot), by a security analyst named Gadi Evron, analyzes the recent Estonian "cyber-attacks" and makes recommendations about how to deal with such attacks in the future. While it makes some good suggestions, it also rather dramatically overstates the nature of the threat. For example: "The Estonian authorities need to revise some of their former preconceptions and define the Internet as critical infrastructure, equally strategic to national security as its electricity grid and water supply." This is rather silly. If the water supply is cut off, people can die of thirst or sanitation problems. If the electricity grid fails, it can lead to the death of old people dependent on their air conditioners or medical devices. If the Internet fails, it's a big headache for a lot of people, but it's unlikely to be a life-threatening emergency.

The report points out that some mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that's true, the lesson of the Estonian attacks isn't that the Internet is "critical infrastructure" on par with electricity and water, but that it's stupid to build "critical infrastructure" on top of the public Internet. There's a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea. The Internet's architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable. There are too many botnets, incompetent administrators, and other problems on the Internet. And so transactions that absolutely have to be done correctly and on time need to be done on a dedicated network, or at least the people doing them need to have a backup plan in case the Internet has problems.

But the report takes the opposite approach, essentially concluding that because people do important things on the Internet, the Internet needs to be treated as an essential national security asset. This reaches absurd lengths when Evron writes that because attacks often originate from botnets consisting of compromised personal computers, "personal computers need to be reprioritized and considered as critical infrastructure." He doesn't discuss what that means in any detail -- maybe they can post soldiers with automatic weapons outside people's home offices. Evron concedes that "the attacks in Estonia did not hurt critical infrastructure, energy, and transportation," but nevertheless insists that "an Internet-staged attack on energy could easily disrupt entire supply and distribution chains, prompting severe shortages." He never elaborates on how that would work, but if he's right, the solution is to do a better job of separating critical infrastructure from the public Internet.

Wide-scale cyber-vandalism is a real problem, and it's good to be talking about ways to respond to it more effectively. But we need to keep a sense of perspective. Launching a distributed denial-of-service attack -- even a really big one -- is nothing like conventional warfare or a terrorist attack. Terrorism and warfare lead to massive loss of life and destruction of property. Internet vandalism rarely involves more than a few hours' inconvenience and lost productivity. That's certainly something we should try to prevent, but we shouldn't blow it out of proportion.

Banks maintain dedicated infrastructure?

That's not true. Most US banks at least are extremely reliant on the Internet. Many banks exchange only check images with the Federal Reserve and do so strictly over the Internet. ACH commonly operates over Internet VPN, with dial up backup. Wire transfers and transactions between banks also commonly use the Internet. Banks *should* have backup procedures for the critical and time sensitive things, but I'm sure some don't, or they aren't adequately tested.

The Internet probably isn't life-or-death critical, but it's absolutely "critical infrastructure." The business disruption if it were unavailable is significant enough to justify that label.

Timothy Lee makes sense

Satan killed by giant snowball.

Seriously, good post. A tool which wasn't used by anyone just over a decade ago, which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure.

Telephony, telemedicine...

Interesting that you made absolutely no mention of telephony. Isn't the phone network considered "critical infrastructure", particularly the ability to make emergency calls? To the point where government regulators are looking seriously at the growth of VoIP, to ensure that customers of such services will still be able to make emergency calls?

Another instance is the growth of telemedicine. Some are even experimenting with robotic surgery controlled remotely. Imagine if the connection went down after you had cut a blood vessel, but before you could tie it off? Not nice.

So, yes, the Internet is certainly becoming critical infrastructure, even if you don't think it is yet.

Water supplies and electrical grids are all completely controlled by means of computer now in most countries that aren't considered 3rd world. Not to mention "less" critical institutions such as banks, communications etc.

Communications ?! Most last-mile Internet communications run on existing non-dedicated infrastructure (except for fiber here and there), not the other way around. Cell voice communication is also not related to IP, neither is radio/television, etc...

Wrong!

The Internet is extremely critical! How else would we know about these kinds of dumb assumptions if we can't read them every day here at TechDirt!

To be honest, I know that there are plans to make the Internet a bit more critical for medical purposes. Especially for diabetics and other people who can use the Internet to upload their blood sugar values to their doctors so the doctor can alter their medicines appropriately. There will be plenty of medical devices that will communicate with these doctors from the patient's home. Having a dedicated network to the patient's home is very expensive. Keeping the patient hospitalized is also expensive. Having a patient at home with some remote devices to monitor their health is just good common sense. But only for non-critical devices at this moment since the Internet itself is non-critical.

What an idiotic story. I honestly thought, by the headline, that some ranking official said that the internet was not critical infrastructure, and that this article was going to dispute that. Come to find out you are trying to convince us it really is not??? I never would have expected a story like this on a tech website of all places.

critical

Well, just browsing (and skimming articles, didn't get a chance to go full through) but something to take note of is the economy on the internet. A lot of sales. A lot of money. Revenue. Money makes a lot of this little world go around, and it's oh so important and crucial.. I'd think!!

ARPAnet vs. Internet

The ARPAnet was designed to be critical infrastructure which could survive massive disruptions -- hence the fundamental end-to-end nature of its communication protocols. The Internet's architecture carries forward many of those implementation details, but is clearly not designed as critical infrastructure, and it would be an enormous strategic mistake to consider it so.

If it were desirable and/or necessary to build an Internet-like network suitable for CNI, then many things would need to be revisited -- enough that I think "start over" would succinctly describe the process.

Here's an example of what I mean: take SMTP (Simple Mail Transport Protocol) as an example. SMTP is "best-effort"; there is no guarantee that your mail message will be delivered or even that you'll be notified if it isn't delivered. However, it works a sufficiently high percentage of the time that many people are convinced that it can be relied on. It can't. It shouldn't. Similar examples abound -- which has unfortunately not stopped any number of people from presuming that things are otherwise and designing/deploying services on top of them. These are failures-in-the-making, houses built on quicksand.

The Internet IS Critical

I can think of at least 10 industries off the top of my head, and countless more businesses, that rely on the internet to operate. If the internet went down, they would not be able to do business as they do today. Costs would skyrocket and whole ways of doing things would grind to a complete halt as they tried to work around what they had come to rely on over the last 2 decades.
The claim that the internet is not critical is foolish, near-sighted, and quite frankly ABSURD.
Poorly thought out article is poorly thought out.

Is too! :)

Perhaps instead of comparing the Internet to the power and water infrastructure, Evron should have compared it to a transportation infrastructure, which is clearly essential to national security. Roads and trains are certainly critical infrastructure, and though not as fragile as the internet, wars have been won or lost based on the presence or absence of a good system of transportation; the infrastructure's bottlenecks, like bridges and airports, are always important military targets.

I think the Internet should be seen as part of a country's communication infrastructure (which is clearly critical), along with the phone system and any private communication networks that exist.

Umm... Some of y

I've got a simple question

I understand that we here in the US, and probably a lot of other places, depend heavily on the Internet. But my question is how would it be taken down? The entire concept of the Internet is based on redundancy. If a large part (or small part) of the web goes down, traffic is automatically rerouted. It's not as fragile as people think.

The linked-to report references countries that are really just starting into the Internet and their connections could easily be taken down but they don't fully rely on it yet.

Re: Banks maintain dedicated infrastructure?

Perhaps that's the case in the United States. I know for a fact that it is not in Canada. While banks and credit unions in Canada do make extensive use of the Internet, critical transactions including ATM transactions are done on dedicated data circuits.

The loss of a few retail banking locations anywhere does not a critical infrastructure make.

Anything that can take down the entire North American part of the Internet would have repercussions well beyond banking or anything else. It would also be incredibly hard to do due to the size difference between Estonia and the much larger and more redundant Internet of Canada and the US.

As Tim says, the solution proposed is silly and, in this case, the cure is worse than the alleged problem.

Re: Telephony, telemedicine...

I work in the telecom industry at the network level and I can tell you for a fact that it does not depend in any way shape or form on the Internet being up.

The VoIP issue around 911 calls is that people can dial 911 on VoIP but a call from say, Anchorage, to 911 is just as likely to end up in a call centre in Dallas as anything, seriously delaying response time. That is the issue the regulators are looking at. Not the broader issue of how VoIP ties into the much wider telecom network.

Should a Central Office switch go down you can't make any calls anyway, 911 or otherwise. It happens. Not often but it does happen.

Telemedicine circuits are nailed down physical circuits that do not go through the Internet. That's way too slow. Not to mention that, the way the Internet routes a connection, speed and video fidelity become an issue. So the circuits involved are dedicated and go nowhere near the Internet. The "pipe" is huge, rated in GB/sec which is guaranteed. I've installed, tested and troubleshot a few of those in my time.

The telecom network and associated technologies that ride on it are not bound to or reliant on the Internet. So don't go calling the Internet "critical infrastructure" because of concerns about them. Simply put, they're different.

Re: The Internet IS Critical

If you think that any of these industries or businesses rely 100% on the Internet for their data communications (or even voice through VoIP) I have a bridge I want to sell you.

Mind you, if any do they're looking to strangle themselves should their Internet connections go down for any reason completely unrelated to attacks.

All of them have high speed point to point or distributed connections that they lease from Telcos or Cablecos which bypass the Internet simply because it isn't reliable enough or secure enough to rely on for critical tasks. These industries and businesses know that even if a self serving security "analyst" doesn't.

Yeah, the electrical grid is considered critical infrastructure. The telecom network is considered critical infrastructure but both go down. Blackouts occur. Switches fail.

Re: The Internet IS Critical

The mere fact that some inadequately educated people rely on the Internet as if it were critical infrastructure does not make it so. It merely means that they are lacking in a solid grounding in the fundamentals, and have therefore presumed that it's reliable -- because they want it to be.

Unsurprisingly, these are often the same people who whine when their faulty assumption turns out to be... faulty.

Those equipped with sufficient experience are well aware that critical communications require dedicated infrastructure designed, built and operated for that purpose, and the Internet isn't it.

Re: I've got a simple question

You're correct in noting that redundancy is built into the routing architecture of the Internet. It's also true that its core protocols are designed to function reasonably well in the presence of disruption, slow links, congestion, etc.

However: a sufficiently-well designed DoS attack launched from a few thousand ordinary desktop systems with sufficient network diversity would be enough to cause serious problems on the scale of "North American network". Given that there are currently at least 100 million fully-compromised systems out there (with access for sale) it's clear that the computing resources are trivially easy to acquire at modest cost...which leaves only the expertise.

And that's available as well, albeit at markedly higher cost due to its scarcity. (So why haven't we seen such an attack? Because it's not profitable. Yet.)

Actually it IS critical

Unfortunately, you can't outlaw stupidity. So whether it's faulty assumptions, idiots in charge, whatever, the internet has become critical infrastructure. Don't think so? How about the incident with TVA? Don't think elimination of power to millions of people for a few days isn't critical? Go google on SCADA attacks. That affects electric and water, which have been mentioned by naysayers as critical. Think TVA are the only idiots? Roughly 80% of the US critical infrastructure is owned by private industry, not the government. Think those private companies aren't taking every possible measure to maximize profits? Think a 'free' communications infrastructure isn't going to be used versus an expensive private circuit? If you don't think the internet is critical infrastructure, you haven't been paying attention to the real world for the past 10 years.

Re: Re: I've got a simple question

But that's kinda my point. Where would these DoS attacks point? You take out one DNS server another pops up in its place, you take out 4 another 4 pop up in their place.

For example: Microsoft gets hit by DoS attacks all the time. Last I heard they were the number one target online. Not once have I noticed a problem. The trick is that routers are smart enough to block DoS attacks nowadays, servers are better suited to stand up against them, and Microsoft has several servers running the same data all around the country for just such a situation.

RE: Re: Re: I've got a simple question

"How would one go about taking out the "North American Network"?" Well, a zero-day attack on BIND could theoretically take out or corrupt all 13 root servers for a while. Not so easy to replace those in a short period of time. Couple that with a nice physical attack on MAE West and East. Maybe throw in a few backhoes on known fiber links across the country. North America would pretty much be toast.

Re: Re: Re: I've got a simple question

The attacks you describe aren't particularly sophisticated, which is why they're relatively easy to fend off. (Note, however, that Microsoft had a major, well-publicized DNS outage a few years back due to poor infrastructure planning.)
And it's also true that a good deal of routing infrastructure has anti-DoS mechanisms built into it.

That's why I said "sufficiently well-designed"; simple attacks may cause local issues and may be annoying, but they're unlikely to cause large-scale problems. I'm not about to provide a how-to guide here, but I'll suggest that studious reading of traffic on NANOG, various security mailing lists, dns-ops, etc. combined with a little topological thinking will soon suggest some possibilities.
(In particular: consider where attack sources are located relative to attack targets. Then think about exactly how anti-DoS mechanisms work.)

Re: Re: Telephony, telemedicine...

VoIP as an endpoint may be small, but a lot of telco traffic is routed on the same infrastructure as the 'net, often through the same cabling. There are a lot of people in the telco business who are in denial about this, but that's part of what's driven long-distance costs through the floor.

Also, critical infrastructure depends on how you define it.

Is the ability of supermarkets to place re-stocking orders critical? No? What would happen if there were no food deliveries to New York city for 4 days?

Internet voting

Internet voting has already been successfully used in a couple of countries. The Netherlands used it in the last election, for example, and it's been deployed elsewhere with success.

There is no technical reason why it could not be successfully implemented. There may be political, budgetary or other reasons, but a well designed system would be subject to no more or less fraud than any other electronic voting system.

Cyber warfare exists but it is more than the Internet

Unfortunately what I see in this article is a serious misperception of what the Internet is and what war does. The Internet is inclusive of all of the world wide web hosted sites, the SCADA networks of many core infrastructures, and even your cable television at home. The Internet is an inclusive term that is all of the packet networks that are connected together.

Many people do not understand that there are different kinds of war and not all are found in the terms of kinetic (bombs & bullets) warfare. There are also trade wars, cold wars, and so much more. The totality of conflict is a spectrum from low intensity policing to nuclear war. See the Goldwater-Nichols Act of 1986 for the first foray into limited scope conflict legally.

Cyber warfare can take the appearance of kinetic weapons such as when DHS released video of a generator blowing up because the phase had been changed by the SCADA system. Systems that until recently were connected to the Internet for ease of operation. Until mid to late 1999 the central control units for the different North American Power grids were controlled through ISDN routers.

At any place you find command, control, communication, coordination, information systems you find the possibility of cyber warfare. In fact cyber warfare sits at the same nexus as all communications channels. This is consistent with the writings of Sun Tzu and knowing/spying on your enemy. It is consistent with Karl Clausewitz's considerations of spying and controlling communication.

Consider that every unmanned aerial vehicle (UAV), many of the radios, telefaxes, and so much more of the general military architecture uses the different packet networks and you begin to realize the validity of the threat. Changing the targeting of a UAV would attack the very integrity of the vehicle's capability.

The Estonian example is not a good example of cyber warfare. It is more like cyber hooliganism. What is a good example of conflict in cyber space is Titan Rain and other spy capers. The Estonian example exploited the availability of systems and in some cases the integrity of the message. Titan Rain though was an exploit of confidentiality. As the McCumber Cube is turned on end and the basic security services are exploited the capabilities of cyber warfare are more easily perceived.

Re: Actually it IS critical

Here's another similar example. I know a doctor who won't go into the office in the mornings until after he's had his morning joe. Whether he should rely on coffee this way or not is irrelevant, he just does. Now nobody can argue that medical care isn't critical so that makes the national coffee supply "critical infrastructure" too. If you don't think the coffee supply is critical infrastructure, you haven't been paying attention to the real world.

Real-life story

Maybe I can help out a little with a real-life example. I was stationed with an emergency services crew in an area north and west of New Orleans in preparation for Katrina. We set up a temporary command center, but never anticipated the extent of the flooding, or the fact that it would take out cell towers, radio transmitters and repeaters, TV stations, and every other communication channel we had. Our internet connection was the only thing in our command center that continued to work, and that is how we were able to find out where to dispatch our rescue crews. I think that qualifies as "critical".

Also...

Shohat says "...which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure."

The majority of people don't have access to, or know how to use military weapons, vehicles such as airplanes, trains, and ships, or fire and rescue apparatus. Does that mean they cannot qualify as critical infrastructure?

Submit button got stuck?

Re: Real-life story

> I was stationed with an emergency services crew in an area north and west of New Orleans in preparation for Katrina. We set up a temporary command center, but never anticipated the extent of the flooding, or the fact that it would take out cell towers, radio transmitters and repeaters, TV stations, and every other communication channel we had.

Then your group wasn't very prepared or competent. To expect local communications systems to survive a hurricane is foolish.

> Our internet connection was the only thing in our command center that continued to work, and that is how we were able to find out where to dispatch our rescue crews. I think that qualifies as "critical".

No, that qualifies as getting lucky. But it doesn't sound like you learned much from it. Next time you might not be so lucky.

> The majority of people don't have access to, or know how to use military weapons, vehicles such as airplanes, trains, and ships, or fire and rescue apparatus. Does that mean they cannot qualify as critical infrastructure?

RE: Re: Actually it IS critical

"Here's another similar example. I know a doctor who won't go into the office in the mornings until after he's had his morning joe. Whether he should rely on coffee this way or not is irrelevant, he just does. Now nobody can argue that medical care isn't critical so that makes the national coffee supply "critical infrastructure" too. If you don't think the coffee supply is critical infrastructure, you haven't been paying attention to the real world."

Well, AC, your example doesn't qualify since one (1) doctor!=medical care for a large number of people. Disruption of basic utilities to millions of people, including the power to your doctor's coffee pot, does qualify.

Re: Re: Real-life story

> Then your group wasn't very prepared or competent. To expect local communications systems to survive a hurricane is foolish.

We were outside of the storm strike-zone waiting to go in. The failure wasn't local, it was nearly state-wide.

We were a volunteer crew that shipped in from out-of-state. You might think that a state that faced so many hurricanes would have a more robust communications system, at least for its emergency services. You might also think it would make sense for Fire and Police to be able to talk to each other on the same radios. After 9/11 the newly formed DHS ear-marked hundreds of millions to upgrade these systems, but none of it has yet filtered down to the people who buy the radios or use them.

I wish I could say it was only Louisiana. Unfortunately most areas of the US don't have enhanced-911, and some still don't have any form of 911. There are more than a few of us in EMS that hope someday soon the internet can provide what the states and telcos haven't.

> Do you even know what "infrastructure" means?

Typically it is the public facilities and services needed to service and support development e.g. roads, electricity, sewerage, water, health and education facilities. But in the IT infrastructures we also see that it is the architectural elements, organizational support, corporate standards, methodology, data, and processes, as well as the physical hardware/network. This also applies to the Safety & Security infrastructure which is as much a logical construct as a physical one, including both fixed and mobile facilities, dispatch systems, protocols, and when they are working, communications systems. OK, so the airplanes and trains were a bit of a stretch - I was trying to make a point.